Opened 8 months ago

Closed 6 months ago

Last modified 6 months ago

#28881 closed Cleanup/optimization (fixed)

Document that CommonPasswordValidator assumes all words are lower case

Reported by: Nick Farrell
Owned by: Karmen
Component: Documentation
Version: 2.0
Severity: Normal
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by Nick Farrell)

The CommonPasswordValidator holds a set of common passwords in memory, after strip()ing any whitespace.
While validating a password, it converts it to lowercase before comparing to the set. However, the reference set was not converted to lowercase.

This is not a problem when using the default set of common passwords, as they have been preprocessed to be lowercase. However, there is nothing in the documentation indicating this preprocessing should occur.
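The mismatch described above, as an added example that is not part of the ticket or of Django's code: a stand-in lookup that strips list entries but lowercases only the candidate password, an audit of a custom list, and the lowercase preprocessing step. All function names and the sample list are constructed for illustration.

```python
"""Stand-in for the behaviour described in the ticket (not Django's code)."""

# Constructed sample of a custom password list, one entry per line.
CUSTOM_LIST = ["Password1\n", "letmein\n", "  Summer2024 \n", "QWERTY\n", "\n"]


def load_as_described(lines):
    """Build the reference set the way the ticket describes: strip() only."""
    return {line.strip() for line in lines}


def is_common(password, passwords):
    """Lowercase the candidate, then look it up in the reference set."""
    return password.lower().strip() in passwords


def non_lowercase_entries(lines):
    """Audit: list entries that can never match a lowercased candidate."""
    entries = (line.strip() for line in lines)
    return [e for e in entries if e and e != e.lower()]


def normalise_list(lines):
    """Preprocess a custom list: strip, lowercase, drop blanks and duplicates."""
    return {line.strip().lower() for line in lines if line.strip()}


if __name__ == "__main__":
    raw = load_as_described(CUSTOM_LIST)
    fixed = normalise_list(CUSTOM_LIST)
    for candidate in ("letmein", "Password1", "qwerty"):
        print(candidate, "raw:", is_common(candidate, raw),
              "normalised:", is_common(candidate, fixed))
    print("entries needing lowercase:", non_lowercase_entries(CUSTOM_LIST))
```

Running the audit over a custom list before deployment shows which entries the validator would silently never match.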

Change History (8)

comment:1 Changed 8 months ago by Nick Farrell

Description: modified (diff)

comment:2 Changed 8 months ago by Nick Farrell

Description: modified (diff)

comment:3 Changed 8 months ago by Nick Farrell

Version: 1.11 → 2.0

comment:4 Changed 8 months ago by Tim Graham

Component: Uncategorized → Documentation
Summary: Common password validator does not handle case correctly → Document that CommonPasswordValidator assumes all words are lower case
Triage Stage: Unreviewed → Accepted
Type: Uncategorized → Cleanup/optimization

I think documenting the existing requirement for the password list to be lower case would be fine. A documentation fix would address the problem for older versions of Django and also avoid unnecessary computations for lists that are already lower case.

comment:5 Changed 6 months ago by Karmen

Owner: changed from nobody to Karmen
Status: new → assigned

comment:6 Changed 6 months ago by Carlton Gibson

Has patch: set
Triage Stage: Accepted → Ready for checkin

PR adds small doc fix.

comment:7 Changed 6 months ago by Tim Graham <timograham@…>

Resolution: fixed
Status: assigned → closed

In 4fcd28d:

Fixed #28881 -- Doc'd that CommonPasswordValidator's password list must be lowercase.

comment:8 Changed 6 months ago by Tim Graham <timograham@…>

In 146317b7:

[2.0.x] Fixed #28881 -- Doc'd that CommonPasswordValidator's password list must be lowercase.

Backport of 4fcd28d442c2fec56f544f99cb658f33f847824c from master
